Last year WhatsApp added end-to-end encryption to its service and promised that even the company itself couldn’t access your messages, but it seems that’s not true.
WhatsApp is able to generate new encryption keys for offline users and force the sender’s app to re-encrypt any messages that haven’t yet been marked as delivered under the new keys and re-send them. By re-encrypting and re-broadcasting messages in this way, WhatsApp is able to intercept them.
This security backdoor, which was discovered by Tobias Boelter, a cryptography and security researcher at the University of California, Berkeley, means that WhatsApp can disclose its messaging records if asked to by a government agency.
Not only that, but recipients of messages won’t even have any clue that they’ve been intercepted, and senders will only be alerted to the change in encryption if they turn on security notifications from the settings screen.
A feature, not a fault
The backdoor should be easily fixable, as it’s not a core part of the Signal protocol that WhatsApp uses for its encryption, but a fix may not be forthcoming.
WhatsApp was alerted to the flaw in April 2016, but actually sees it as a feature. The company points out that a contact’s security codes can change when a phone or SIM card is switched, or WhatsApp is re-installed, and it wants to ensure messages are still delivered when that happens – which they wouldn’t be if the backdoor is plugged.
Handling things in this way ensures WhatsApp stays simple, but means it’s not as secure as you may have thought. If security is vital to you, consider switching to Signal – an app which uses the same encryption, minus the backdoor.
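To make the trade-off concrete, here is a toy model of the two client-side policies discussed above: silently re-encrypting undelivered messages to a newly announced key versus holding them until the user verifies the new key. This is an added illustration, not WhatsApp’s or Signal’s code; the "encryption" is a constructed stand-in that simply binds a ciphertext to an identity key, and the keys and message are sample values.

```python
import hashlib
from dataclasses import dataclass, field

def toy_encrypt(identity_key: bytes, plaintext: str) -> bytes:
    # Constructed stand-in for a real session: the ciphertext is bound to the
    # recipient identity key, so whoever holds that key is who can read it.
    return hashlib.sha256(identity_key + plaintext.encode()).digest()

@dataclass
class SenderClient:
    peer_key: bytes                              # last known identity key of the peer
    outbox: list = field(default_factory=list)   # (plaintext, ciphertext) not yet delivered
    held: list = field(default_factory=list)     # messages parked pending user verification
    alerts: list = field(default_factory=list)   # what the sender actually gets to see

    def send(self, plaintext: str) -> bytes:
        ct = toy_encrypt(self.peer_key, plaintext)
        self.outbox.append((plaintext, ct))
        return ct

    def on_key_change(self, new_key: bytes, policy: str, notifications_on: bool) -> list:
        """The server announces a new identity key for the peer.
        'auto_resend': adopt the key and re-encrypt every undelivered message to it.
        'hold': adopt nothing; park undelivered messages until the user verifies.
        Returns the ciphertexts that go back out over the wire."""
        if notifications_on:
            self.alerts.append("security code for peer changed")
        if policy == "auto_resend":
            self.peer_key = new_key
            self.outbox = [(p, toy_encrypt(new_key, p)) for p, _ in self.outbox]
            return [ct for _, ct in self.outbox]
        self.held.extend(self.outbox)
        self.outbox.clear()
        return []

def simulate(policy: str, notifications_on: bool) -> dict:
    original_key = b"recipient-real-device-key"            # constructed sample keys
    replacement_key = b"key-issued-while-recipient-offline"
    client = SenderClient(peer_key=original_key)
    client.send("meet at 9")  # recipient is offline, so this stays undelivered
    wire = client.on_key_change(replacement_key, policy, notifications_on)
    # Can the holder of the replacement key read what was re-sent?
    readable = [ct == toy_encrypt(replacement_key, "meet at 9") for ct in wire]
    return {"resent": len(wire),
            "readable_with_new_key": bool(wire) and all(readable),
            "held": len(client.held),
            "alerts": len(client.alerts)}
```

Under `auto_resend` with notifications off, the undelivered message goes back out readable by whoever holds the replacement key and the sender sees nothing; under `hold`, nothing leaves the device until the user has checked the new key.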